SEBI System Audit Report (SAR)
The half-yearly / annual SAR your stock broker or DP can submit on the first read.
Stock brokers and depository participants submit System Audit Reports to SEBI on a defined cycle. Macksofy delivers SARs that survive SEBI inspection because we draft them the way SEBI's auditors and inspection teams read them.
- SEBI SAR Format (annexures)
- SEBI CSCRF (2024)
- SEBI Cybersecurity Circular 2015 (transition mapping)
- Stock Exchange / Clearing Corp inspection format
- CERT-In empanelment requirement
Compliance is leverage, not paperwork.
Brokers receive SEBI penalty notices for SAR submissions that miss findings, fail to evidence remediation, or use the wrong format. Macksofy ships SARs that hit SEBI's prescribed structure verbatim, with technical evidence attached and a closure trail that addresses the most-asked SEBI inspection questions in advance.
- Trading members / clearing members / depository participants
- Qualified REs (Type-A / Type-B brokers)
- Stock brokers under SEBI's enhanced supervision
- Mutual Fund Distributors (where applicable)
- Research analysts + Investment advisors above threshold
Aligned to the regulations that matter.
How we run a SEBI SAR engagement.
1 · SAR cycle scoping
- Half-yearly / annual cycle confirmation
- Auditable controls per SEBI annexures
- Asset + critical-system inventory
2 · Audit execution
- Trading platform + RMS audit
- Order management + risk management evidence
- Algo trading + DMA controls (where applicable)
- Customer-facing portal + KYC pipeline
3 · Cybersecurity domain
- VAPT external + internal
- Phishing / social engineering test (annual)
- Privileged access + segregation review
- Data leak + log retention audit
4 · SAR drafting
- SEBI prescribed annexure format
- Severity-graded findings
- Management responses + closure ETA
- Auditor opinion + signature
5 · Submission + closure
- Submission via member portal
- Stock Exchange / Clearing Corp queries
- Closure validation + sign-off
Everything you need to satisfy auditors.
- SEBI-format System Audit Report (annexure-compliant)
- Findings register with management response per finding
- Cybersecurity audit annexure
- Operational risk audit annexure
- Auditor opinion letter (CERT-In empanelment cited)
- Free retest within 30 days · closure letter
Half-yearly SAR (first cycle post-CSCRF)
Outcome: Submitted within SEBI deadline; zero SEBI clarification queries returned
The shape of a SEBI SAR engagement.
Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.
What we actually examine.
Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.
- SAR scope per SEBI circular (3 pts)
- IT governance review (3 pts)
- Application & infra controls (3 pts)
- Change & incident management (3 pts)
- BCP / DR (3 pts)
- SAR submission pack (3 pts)
We map the SAR exactly to the SEBI circular applicable to your entity class.
- MII / Stock-Exchange / Depository / DP scope
- AMC / Broker / RIA / RTA scope
- Customised system & data inventory
Where SEBI inspectors usually pull the thread first.
- IT-strategy + steering-committee evidence
- Policy currency + board approval trail
- CISO / CTO charter + reporting lines
The technical-control evidence SEBI SAR submissions hinge on.
- Trading / DP / RTA application review
- Network segmentation + DMZ posture
- Database / endpoint / patch posture
The two areas where SEBI most often raises observations.
- Change-control gating evidence
- Major-incident root cause + SEBI notice
- Post-mortem + corrective-action log
Live drill evidence, declared RTO / RPO, recovery proof.
- Cyber-incident DR drill record
- Site-shift drill + RTO/RPO actuals
- Alternate-site readiness attestation
Assembled in SEBI's preferred submission format.
- SAR cover letter + executive summary
- Control register keyed to SEBI clauses
- Observation register + remediation tracker
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Things compliance leads ask before signing.
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
